COPYRIGHT PROTECTED DOCUMENT
© ISO 2012
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents
Foreword
0 Introduction
0.1 General
0.2 The Plan-Do-Check-Act (PDCA) model
0.3 Components of PDCA in this International Standard
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
4.1 Understanding of the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the business continuity management system
4.4 Business continuity management system
5 Leadership
5.1 Leadership and commitment
5.2 Management commitment
5.3 Policy
5.4 Organizational roles, responsibilities and authorities
6 Planning
6.1 Actions to address risks and opportunities
6.2 Business continuity objectives and plans to achieve them
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
8 Operation
8.1 Operational planning and control
8.2 Business impact analysis and risk assessment
8.3 Business continuity strategy
8.4 Establish and implement business continuity procedures
8.5 Exercising and testing
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
10 Improvement
10.1 Nonconformity and corrective action
10.2 Continual improvement
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO 22301 was prepared by Technical Committee ISO/TC 223, Societal security.
This corrected version of ISO 22301:2012 incorporates the following corrections:
— first list in 6.1 changed from a numbered to an unnumbered list;
— commas added at the end of list items in 7.5.3 and 8.3.2;
— bibliography items [19] and [20] separated, which were merged in the original;
— font size adjusted in several places.
0 Introduction
0.1 General
This International Standard specifies requirements for setting up and managing an effective Business Continuity Management System (BCMS).
A BCMS emphasizes the importance of
— understanding the organization’s needs and the necessity for establishing business continuity management policy and objectives,
— implementing and operating controls and measures for managing an organization’s overall capability to manage disruptive incidents,
— monitoring and reviewing the performance and effectiveness of the BCMS, and
— continual improvement based on objective measurement.
A BCMS, like any other management system, has the following key components:
a) a policy;
b) people with defined responsibilities;
c) management processes relating to
1) policy,
2) planning,
3) implementation and operation,
4) performance assessment,
5) management review, and
6) improvement;
d) documentation providing auditable evidence; and
e) any business continuity management processes relevant to the organization.
Business continuity contributes to a more resilient society. The wider community and the impact of the organization’s environment on the organization and therefore other organizations may need to be involved in the recovery process.
0.2 The Plan-Do-Check-Act (PDCA) model
This International Standard applies the “Plan-Do-Check-Act” (PDCA) model to planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving the effectiveness of an organization’s BCMS.
This ensures a degree of consistency with other management systems standards, such as ISO 9001, Quality management systems, ISO 14001, Environmental management systems, ISO/IEC 27001, Information security management systems, ISO/IEC 20000-1, Information technology — Service management, and ISO 28000, Specification for security management systems for the supply chain, thereby supporting consistent and integrated implementation and operation with related management systems.
Figure 1 illustrates how a BCMS takes as inputs interested parties, requirements for continuity management and, through the necessary actions and processes, produces continuity outcomes (i.e. managed business continuity) that meet those requirements.
Figure 1 — PDCA model applied to BCMS processes
Table 1 — Explanation of PDCA model
Plan (Establish)
Establish business continuity policy, objectives, targets, controls, processes and procedures relevant to improving business continuity in order to deliver results that align with the organization’s overall policies and objectives.
Do (Implement and operate)
Implement and operate the business continuity policy, controls, processes and procedures.
Check (Monitor and review)
Monitor and review performance against business continuity policy and objectives, report the results to management for review, and determine and authorize actions for remediation and improvement.
Act (Maintain and improve)
Maintain and improve the BCMS by taking corrective action, based on the results of management review and reappraising the scope of the BCMS and business continuity policy and objectives.
0.3 Components of PDCA in this International Standard
In the Plan-Do-Check-Act model as shown in Table 1, Clause 4 through Clause 10 in this International Standard cover the following components.
— Clause 4 is a component of Plan. It introduces requirements necessary to establish the context of the BCMS as it applies to the organization, as well as needs, requirements, and scope.
— Clause 5 is a component of Plan. It summarizes the requirements specific to top management’s role in the BCMS, and how leadership articulates its expectations to the organization via a policy statement.
— Clause 6 is a component of Plan. It describes requirements as it relates to establishing strategic objectives and guiding principles for the BCMS as a whole. The content of Clause 6 differs from establishing risk treatment opportunities stemming from risk assessment, as well as business impact analysis (BIA) derived recovery objectives.
NOTE The business impact analysis and risk assessment process requirements are detailed in Clause 8.
— Clause 7 is a component of Plan. It supports BCMS operations as they relate to establishing competence and communication on a recurring/as-needed basis with interested parties, while documenting, controlling, maintaining and retaining required documentation.
— Clause 8 is a component of Do. It defines business continuity requirements, determines how to address them and develops the procedures to manage a disruptive incident.
— Clause 9 is a component of Check. It summarizes requirements necessary to measure business continuity management performance, BCMS compliance with this International Standard and management’s expectations, and seeks feedback from management regarding expectations.
— Clause 10 is a component of Act. It identifies and acts on BCMS non-conformance through corrective action.
Societal security — Business continuity management systems — Requirements
1 Scope
This International Standard for business continuity management specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.
The requirements specified in this International Standard are generic and intended to be applicable to all organizations, or parts thereof, regardless of type, size and nature of the organization. The extent of application of these requirements depends on the organization’s operating environment and complexity.
It is not the intent of this International Standard to imply uniformity in the structure of a Business Continuity Management System (BCMS), but for an organization to design a BCMS that is appropriate to its needs and that meets its interested parties’ requirements. These needs are shaped by legal, regulatory, organizational and industry requirements, the products and services, the processes employed, the size and structure of the organization, and the requirements of its interested parties.
This International Standard is applicable to all types and sizes of organizations that wish to
a) establish, implement, maintain and improve a BCMS,
b) ensure conformity with stated business continuity policy,
c) demonstrate conformity to others,
d) seek certification/registration of its BCMS by an accredited third party certification body, or
e) make a self-determination and self-declaration of conformity with this International Standard.
This International Standard can be used to assess an organization’s ability to meet its own continuity needs and obligations.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
There are no normative references.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1 activity
process or set of processes undertaken by an organization (or on its behalf) that produces or supports one or more products and services
EXAMPLE Such processes include accounts, call centre, IT, manufacture, distribution.
3.2 audit
systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled
NOTE 1 An audit can be an internal audit (first party) or an external audit (second party or third party), and it can be a combined audit (combining two or more disciplines).
NOTE 2 “Audit evidence” and “audit criteria” are defined in ISO 19011.
3.3 business continuity
capability of the organization to continue delivery of products or services at acceptable predefined levels following disruptive incident
[SOURCE: ISO 22300]
3.4 business continuity management
holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities
3.5 business continuity management system
BCMS
part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity
NOTE The management system includes organizational structure, policies, planning activities, responsibilities, procedures, processes and resources.
3.6 business continuity plan
documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operation following disruption
NOTE Typically this covers resources, services and activities required to ensure the continuity of critical business functions.
3.7 business continuity programme
ongoing management and governance process supported by top management and appropriately resourced to implement and maintain business continuity management
3.8 business impact analysis
process of analyzing activities and the effect that a business disruption might have upon them
[SOURCE: ISO 22300]
3.9 competence
ability to apply knowledge and skills to achieve intended results
3.10 conformity
fulfilment of a requirement
[SOURCE: ISO 22300]
3.11 continual improvement
recurring activity to enhance performance
[SOURCE: ISO 22300]
3.12 correction
action to eliminate a detected nonconformity
[SOURCE: ISO 22300]
3.13 corrective action
action to eliminate the cause of a nonconformity and to prevent recurrence
NOTE In the case of other undesirable outcomes, action is necessary to minimize or eliminate causes and to reduce impact or prevent recurrence. Such actions fall outside the concept of “corrective action” in the sense of this definition.
[SOURCE: ISO 22300]
3.14 document
information and its supporting medium
NOTE 1 The medium can be paper, magnetic, electronic or optical computer disc, photograph or master sample, or a combination thereof.
NOTE 2 A set of documents, for example specifications and records, is frequently called “documentation”.
3.15 documented information
information required to be controlled and maintained by an organization and the medium on which it is contained
NOTE 1 Documented information can be in any format and on any media from any source.
NOTE 2 Documented information can refer to
— the management system, including related processes;
— information created in order for the organization to operate (documentation);
— evidence of results achieved (records).
3.16 effectiveness
extent to which planned activities are realized and planned results achieved
[SOURCE: ISO 22300]
3.17 event
occurrence or change of a particular set of circumstances
NOTE 1 An event can be one or more occurrences, and can have several causes.
NOTE 2 An event can consist of something not happening.
NOTE 3 An event can sometimes be referred to as an “incident” or “accident”.
NOTE 4 An event without consequences may also be referred to as a “near miss”, “incident”, “near hit”, “close call”.
[SOURCE: ISO/IEC Guide 73]
3.18 exercise
process to train for, assess, practice, and improve performance in an organization
NOTE 1 Exercises can be used for: validating policies, plans, procedures, training, equipment, and inter-organizational agreements; clarifying and training personnel in roles and responsibilities; improving inter-organizational coordination and communications; identifying gaps in resources; improving individual performance; and identifying opportunities for improvement, and controlled opportunity to practice improvisation.
NOTE 2 A test is a unique and particular type of exercise, which incorporates an expectation of a pass or fail element within the goal or objectives of the exercise being planned.
[SOURCE: ISO 22300]
3.19 incident
situation that might be, or could lead to, a disruption, loss, emergency or crisis
[SOURCE: ISO 22300]
3.20 infrastructure
system of facilities, equipment and services needed for the operation of an organization
3.21 interested party
stakeholder
person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity
NOTE This can be an individual or group that has an interest in any decision or activity of an organization.
3.22 internal audit
audit conducted by, or on behalf of, the organization itself for management review and other internal purposes, and which might form the basis for an organization’s self-declaration of conformity
NOTE In many cases, particularly in smaller organizations, independence can be demonstrated by the freedom from responsibility for the activity being audited.
3.23 invocation
act of declaring that an organization’s business continuity arrangements need to be put into effect in order to continue delivery of key products or services
3.24 management system
set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives
NOTE 1 A management system can address a single discipline or several disciplines.
NOTE 2 The system elements include the organization’s structure, roles and responsibilities, planning, operation, etc.
NOTE 3 The scope of a management system can include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organizations.
3.25 maximum acceptable outage
MAO
time it would take for adverse impacts, which might arise as a result of not providing a product/service or performing an activity, to become unacceptable
NOTE See also maximum tolerable period of disruption.
3.26 maximum tolerable period of disruption
MTPD
time it would take for adverse impacts, which might arise as a result of not providing a product/service or performing an activity, to become unacceptable
NOTE See also maximum acceptable outage.
3.27 measurement
process to determine a value
3.28 minimum business continuity objective
MBCO
minimum level of services and/or products that is acceptable to the organization to achieve its business objectives during a disruption
3.29 monitoring
determining the status of a system, a process or an activity
NOTE To determine the status there may be a need to check, supervise or critically observe.
3.30 mutual aid agreement
pre-arranged understanding between two or more entities to render assistance to each other
[SOURCE: ISO 22300]
3.31 nonconformity
non-fulfilment of a requirement
[SOURCE: ISO 22300]
3.32 objective
result to be achieved
NOTE 1 An objective can be strategic, tactical or operational.
NOTE 2 Objectives can relate to different disciplines (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
NOTE 3 An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, as a societal security objective or by the use of other words with similar meaning (e.g. aim, goal, or target).
NOTE 4 In the context of societal security management systems standards, societal security objectives are set by the organization, consistent with the societal security policy, to achieve specific results.
3.33 organization
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives
NOTE 1 The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.
NOTE 2 For organizations with more than one operating unit, a single operating unit can be defined as an organization.
3.34 outsource (verb)
make an arrangement where an external organization performs part of an organization’s function or process
NOTE An external organization is outside the scope of the management system, although the outsourced function or process is within the scope.
3.35 performance
measurable result
NOTE 1 Performance can relate either to quantitative or qualitative findings.
NOTE 2 Performance can relate to the management of activities, processes, products (including services), systems or organizations.
3.36 performance evaluation
process of determining measurable results
3.37 personnel
people working for and under the control of the organization
NOTE The concept of personnel includes, but is not limited to employees, part-time staff, and agency staff.
3.38 policy
intentions and direction of an organization as formally expressed by its top management
3.39 procedure
specified way to carry out an activity or a process
3.40 process
set of interrelated or interacting activities which transforms inputs into outputs
3.41 products and services
beneficial outcomes provided by an organization to its customers, recipients and interested parties, e.g. manufactured items, car insurance and community nursing
3.42 prioritized activities
activities to which priority must be given following an incident in order to mitigate impacts
NOTE Terms in common use to describe activities within this group include: critical, essential, vital, urgent and key.
[SOURCE: ISO 22300]
3.43 record
statement of results achieved or evidence of activities performed
3.44 recovery point objective
RPO
point to which information used by an activity must be restored to enable the activity to operate on resumption
NOTE Can also be referred to as “maximum data loss”.
3.45 recovery time objective
RTO
period of time following an incident within which
— product or service must be resumed, or
— activity must be resumed, or
— resources must be recovered
NOTE For products, services and activities, the recovery time objective must be less than the time it would take for the adverse impacts that would arise as a result of not providing a product/service or performing an activity to become unacceptable.
3.46 requirement
need or expectation that is stated, generally implied or obligatory
NOTE 1 “Generally implied” means that it is a customary or common practice for the organization and interested parties that the need or expectation under consideration is implied.
NOTE 2 A specified requirement is one that is stated, for example in documented information.
3.47 resources
all assets, people, skills, information, technology (including plant and equipment), premises, and supplies and information (whether electronic or not) that an organization has to have available to use, when needed, in order to operate and meet its objective
3.48 risk
effect of uncertainty on objectives
NOTE 1 An effect is a deviation from the expected — positive or negative.
NOTE 2 Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process). An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, as a business continuity objective or by the use of other words with similar meaning (e.g. aim, goal, or target).
NOTE 3 Risk is often characterized by reference to potential events (Guide 73, 3.5.1.3) and consequences (Guide 73, 3.6.1.3), or a combination of these.
NOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (Guide 73, 3.6.1.1) of occurrence.
NOTE 5 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
NOTE 6 In the context of business continuity management system standards, business continuity objectives are set by the organization, consistent with the business continuity policy, to achieve specific results. When applying the term risk and components of risk management, this should be related to the objectives of the organization that include, but are not limited to the business continuity objectives as specified in 6.2.
[SOURCE: ISO/IEC Guide 73]
3.49 risk appetite
amount and type of risk that an organization is willing to pursue or retain
3.50 risk assessment
overall process of risk identification, risk analysis and risk evaluation
[SOURCE: ISO Guide 73]
3.51 risk management
coordinated activities to direct and control an organization with regard to risk
[SOURCE: ISO Guide 73]
3.52 testing
procedure for evaluation; a means of determining the presence, quality, or veracity of something
NOTE 1 Testing may be referred to as a “trial”.
NOTE 2 Testing is often applied to supporting plans.
[SOURCE: ISO 22300]
3.53 top management
person or group of people who directs and controls an organization at the highest level
NOTE 1 Top management has the power to delegate authority and provide resources within the organization.
NOTE 2 If the scope of the management system covers only part of an organization then top management refers to those who direct and control that part of the organization.
3.54 verification
confirmation, through the provision of evidence, that specified requirements have been fulfilled
3.55 work environment
set of conditions under which work is performed
NOTE Conditions include physical, social, psychological and environmental factors (such as temperature, recognition schemes, ergonomics and atmospheric composition).
[SOURCE: ISO 22300]
4 Contextoftheorganization4.1 UnderstandingoftheorganizationanditscontextTheorganizationshalldetermineexternalandinternalissuesthatarerelevanttoitspurposeandthataffectitsabilitytoachievetheintendedoutcome(s)ofitsBCMS.
Theseissuesshallbetakenintoaccountwhenestablishing,implementingandmaintainingtheorganization’sBCMS.
Theorganizationshallidentifyanddocumentthefollowing:
a) theorganization’sactivities,functions,services,products,partnerships,supplychains,relationshipswithinterestedparties,andthepotentialimpactrelatedtoadisruptiveincident;
b) linksbetweenthebusinesscontinuitypolicyandtheorganization’sobjectivesandotherpolicies,includingitsoverallriskmanagementstrategy;and
c) theorganization’sriskappetite.
Inestablishingthecontext,theorganizationshall
1) articulateitsobjectives,includingthoseconcernedwithbusinesscontinuity,
2) definetheexternalandinternalfactorsthatcreatetheuncertaintythatgivesrisetorisk,
3) setriskcriteriatakingintoaccounttheriskappetite,and
4) definethepurposeoftheBCMS.
4.2 Understandingtheneedsandexpectationsofinterestedparties4.2.1 General
WhenestablishingitsBCMS,theorganizationshalldetermine
a) theinterestedpartiesthatarerelevanttotheBCMS,and
b) therequirementsoftheseinterestedparties(i.e.theirneedsandexpectationswhetherstated,generallyimpliedorobligatory).
4.2.2 Legalandregulatoryrequirements
Theorganizationshallestablish,implementandmaintainaprocedure(s)toidentify,haveaccessto,andassesstheapplicablelegalandregulatoryrequirementstowhichtheorganizationsubscribesrelatedtothecontinuityofitsoperations,productsandservices,aswellastheinterestsofrelevantinterestedparties.
Theorganizationshallensurethattheseapplicablelegal,regulatoryandotherrequirementstowhichtheorganizationsubscribesaretakenintoaccountinestablishing,implementingandmaintainingitsBCMS.
Theorganizationshalldocumentthisinformationandkeepitup-to-date.Neworvariationstolegal,
regulatoryandotherrequirementsshallbecommunicatedtoaffectedemployeesandotherinterestedparties.
4.3 Determiningthescopeofthebusinesscontinuitymanagementsystem4.3.1 General
TheorganizationshalldeterminetheboundariesandapplicabilityoftheBCMStoestablishitsscope.
Whendeterminingthisscope,theorganizationshallconsider
— theexternalandinternalissuesreferredtoin4.1,and
— therequirementsreferredtoin4.2.
Thescopeshallbeavailableasdocumentedinformation.
4.3.2 ScopeoftheBCMS
Theorganizationshall
a) establishthepartsoftheorganizationtobeincludedintheBCMS,
b) establishBCMSrequirements,consideringtheorganization’smission,goals,internalandexternalobligations(includingthoserelatedtointerestedparties),andlegalandregulatoryresponsibilities,
c) identifyproductsandservicesandallrelatedactivitieswithinthescopeoftheBCMS,
d) takeintoaccountinterestedparties’needsandinterests,suchascustomers,investors,shareholders,thesupplychain,publicand/orcommunityinputandneeds,expectationsandinterests(asappropriate),and
e) definethescopeoftheBCMSintermsofandappropriatetothesize,natureandcomplexityoftheorganization.
Whendefiningthescope,theorganizationshalldocumentandexplainexclusions;anysuchexclusionsshallnotaffecttheorganization’sabilityandresponsibilitytoprovidecontinuityofbusinessandoperationsthatmeettheBCMSrequirements,asdeterminedbybusinessimpactanalysisorriskassessmentandapplicablelegalorregulatoryrequirements.
4.4 BusinesscontinuitymanagementsystemTheorganizationshallestablish,implement,maintainandcontinuallyimproveaBCMS,includingtheprocessesneededandtheirinteractions,inaccordancewiththerequirementsofthisInternationalStandard.
5 Leadership5.1 LeadershipandcommitmentPersonsintopmanagementandotherrelevantmanagementrolesthroughouttheorganizationshalldemonstrateleadershipwithrespecttotheBCMS.EXAMPLE ThisleadershipandcommitmentcanbeshownbymotivatingandempoweringpersonstocontributetotheeffectivenessoftheBCMS.
5.2 Managementcommitment
TopmanagementshalldemonstrateleadershipandcommitmentwithrespecttotheBCMSby
— ensuringthatpoliciesandobjectivesareestablishedforthebusinesscontinuitymanagementsystemandarecompatiblewiththestrategicdirectionoftheorganization,
— ensuringtheintegrationofthebusinesscontinuitymanagementsystemrequirementsintotheorganization’sbusinessprocesses,
— ensuringthattheresourcesneededforthebusinesscontinuitymanagementsystemareavailable,
— communicatingtheimportanceofeffectivebusinesscontinuitymanagementandconformingtotheBCMSrequirements,
— ensuringthattheBCMSachievesitsintendedoutcome(s),
— directingandsupportingpersonstocontributetotheeffectivenessoftheBCMS,
— promotingcontinualimprovement,and
— supportingotherrelevantmanagementrolestodemonstratetheirleadershipandcommitmentasitappliestotheirareasofresponsibility.
NOTE1 Referenceto“business”inthisInternationalStandardisintendedtobeinterpretedbroadlytomeanthoseactivitiesthatarecoretothepurposesoftheorganization’sexistence.
Topmanagementshallprovideevidenceofitscommitmenttotheestablishment,implementation,operation,monitoring,review,maintenance,andimprovementoftheBCMSby
— establishingabusinesscontinuitypolicy,
— ensuringthatBCMSobjectivesandplansareestablished,
— establishingroles,responsibilities,andcompetenciesforbusinesscontinuitymanagement,and
— appointingoneormorepersonstoberesponsiblefortheBCMSwiththeappropriateauthorityandcompetenciestobeaccountablefortheimplementationandmaintenanceoftheBCMS.
NOTE2 Thesepersonscanholdotherresponsibilitieswithintheorganization.
Topmanagementshallensurethattheresponsibilitiesandauthoritiesforrelevantrolesareassignedandcommunicatedwithintheorganizationby
— definingthecriteriaforacceptingrisksandtheacceptablelevelsofrisk,
— activelyengaginginexercisingandtesting,
— ensuringthatinternalauditsoftheBCMSareconducted,
— conductingmanagementreviewsoftheBCMS,and
— demonstratingitscommitmenttocontinualimprovement.
5.3 PolicyTopmanagementshallestablishabusinesscontinuitypolicythat
a) isappropriatetothepurposeoftheorganization,
b) providesaframeworkforsettingbusinesscontinuityobjectives,
c) includesacommitmenttosatisfyapplicablerequirements,
d) includesacommitmenttocontinualimprovementoftheBCMS.
TheBCMSpolicyshall
— beavailableasdocumentedinformation,
— becommunicatedwithintheorganization,
— beavailabletointerestedparties,asappropriate,
— bereviewedforcontinuingsuitabilityatdefinedintervalsandwhensignificantchangesoccur
Theorganizationshallretaindocumentedinformationonthebusinesscontinuitypolicy.
5.4 Organizationalroles,responsibilitiesandauthoritiesTopmanagementshallensurethattheresponsibilitiesandauthoritiesforrelevantrolesareassignedandcommunicatedwithintheorganization.
Topmanagementshallassigntheresponsibilityandauthorityfor
a) ensuringthatthemanagementsystemconformstotherequirementsofthisInternationalStandard,and
b) reportingontheperformanceoftheBCMStotopmanagement.
6 Planning6.1 ActionstoaddressrisksandopportunitiesWhenplanningfortheBCMS,theorganizationshallconsidertheissuesreferredtoin4.1andtherequirementsreferredtoin4.2anddeterminetherisksandopportunitiesthatneedtobeaddressedto
— ensurethemanagementsystemcanachieveitsintendedoutcome(s),
— prevent,orreduce,undesiredeffects,
— achievecontinualimprovement.
Theorganizationshallplan
a) actionstoaddresstheserisksandopportunities,
b) howto
1) integrateandimplementtheactionsintoitsBCMSprocesses(see8.1),
2) evaluatetheeffectivenessoftheseactions(see9.1).
6.2 BusinesscontinuityobjectivesandplanstoachievethemTopmanagementshallensurethatbusinesscontinuityobjectivesareestablishedandcommunicatedforrelevantfunctionsandlevelswithintheorganization.
Thebusinesscontinuityobjectivesshall
a) beconsistentwiththebusinesscontinuitypolicy,
b) takeaccountoftheminimumlevelofproductsandservicesthatisacceptabletotheorganizationtoachieveitsobjectives,
c) bemeasurable,
d) takeintoaccountapplicablerequirements,and
e) bemonitoredandupdatedasappropriate.
Theorganizationshallretaindocumentedinformationonthebusinesscontinuityobjectives.
Toachieveitsbusinesscontinuityobjectives,theorganizationshalldetermine
— whowillberesponsible,
— whatwillbedone,
— whatresourceswillberequired,
— whenitwillbecompleted,and
— howtheresultswillbeevaluated.
7 Support7.1 ResourcesTheorganizationshalldetermineandprovidetheresourcesneededfortheestablishment,implementation,maintenanceandcontinualimprovementoftheBCMS.
7.2 CompetenceTheorganizationshall
a) determinethenecessarycompetenceofperson(s)doingworkunderitscontrolthataffectsitsperformance,
b) ensurethatthesepersonsarecompetentonthebasisofappropriateeducation,training,andexperience,
c) whereapplicable,takeactionstoacquirethenecessarycompetence,andevaluatetheeffectivenessoftheactionstaken,and
d) retainappropriatedocumentedinformationasevidenceofcompetence.NOTE Applicableactionscaninclude,forexample:theprovisionoftrainingto,thementoringof,orthereassignmentofcurrentemployedpersons;orthehiringorcontractingofcompetentpersons.
7.3 AwarenessPersonsdoingworkundertheorganization’scontrolshallbeawareof
a) thebusinesscontinuitypolicy,
b) theircontributiontotheeffectivenessoftheBCMS,includingthebenefitsofimprovedbusinesscontinuitymanagementperformance,
c) theimplicationsofnotconformingwiththeBCMSrequirements,and
d) theirownroleduringdisruptiveincidents.
7.4 Communication
The organization shall determine the need for internal and external communications relevant to the BCMS including
a) on what it will communicate,
b) when to communicate,
c) with whom to communicate.
The organization shall establish, implement, and maintain procedure(s) for
— internal communication amongst interested parties and employees within the organization,
— external communication with customers, partner entities, local community, and other interested parties, including the media,
— receiving, documenting, and responding to communication from interested parties,
— adapting and integrating a national or regional threat advisory system, or equivalent, into planning and operational use, if appropriate,
— ensuring availability of the means of communication during a disruptive incident,
— facilitating structured communication with appropriate authorities and ensuring the interoperability of multiple responding organizations and personnel, where appropriate, and
— operating and testing of communications capabilities intended for use during disruption of normal communications.
NOTE Further requirements for communication in response to an incident are specified in 8.4.3.
7.5 Documented information
7.5.1 General
The organization's BCMS shall include
— documented information required by this International Standard, and
— documented information determined by the organization as being necessary for the effectiveness of the BCMS.
NOTE The extent of documented information for a BCMS can differ from one organization to another due to
— the size of organization and its type of activities, processes, products and services,
— the complexity of processes and their interactions, and
— the competence of persons.
7.5.2 Creating and updating
When creating and updating documented information, the organization shall ensure appropriate
a) identification and description (e.g. a title, date, author or reference number),
b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic), and review and approval for suitability and adequacy.
7.5.3 Control of documented information
Documented information required by the BCMS and by this International Standard shall be controlled to ensure
a) it is available and suitable for use, where and when it is needed,
b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
For the control of documented information, the organization shall address the following activities, as applicable
— distribution, access, retrieval and use,
— storage and preservation, including preservation of legibility,
— control of changes (e.g. version control),
— retention and disposition,
— retrieval and use,
— preservation of legibility (i.e. clear enough to read), and
— prevention of the unintended use of obsolete information.
Documented information of external origin determined by the organization to be necessary for the planning and operation of the BCMS shall be identified, as appropriate, and controlled.
When establishing control of documented information, the organization shall ensure that there is adequate protection for the documented information (e.g. protection against compromise, unauthorized modification or deletion).
NOTE Access implies a decision regarding the permission to view the documented information, or the permission and authority to view and change the documented information, etc.
8 Operation
8.1 Operational planning and control
The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in 6.1, by
a) establishing criteria for the processes,
b) implementing control of the processes in accordance with the criteria, and
c) keeping documented information to the extent necessary to have confidence that the processes have been carried out as planned.
The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.
The organization shall ensure that outsourced processes are controlled.
8.2 Business impact analysis and risk assessment
8.2.1 General
The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that
a) establishes the context of the assessment, defines criteria and evaluates the potential impact of a disruptive incident,
b) takes into account legal and other requirements to which the organization subscribes,
c) includes systematic analysis, prioritization of risk treatments, and their related costs,
d) defines the required output from the business impact analysis and risk assessment, and
e) specifies the requirements for this information to be kept up-to-date and confidential.
NOTE There are various methodologies for business impact analysis and risk assessment which will determine the order in which these will be conducted.
8.2.2 Business impact analysis
The organization shall establish, implement, and maintain a formal and documented evaluation process for determining continuity and recovery priorities, objectives and targets. This process shall include assessing the impacts of disrupting activities that support the organization's products and services.
The business impact analysis shall include the following:
a) identifying activities that support the provision of products and services;
b) assessing the impacts over time of not performing these activities;
c) setting prioritized timeframes for resuming these activities at a specified minimum acceptable level, taking into consideration the time within which the impacts of not resuming them would become unacceptable; and
d) identifying dependencies and supporting resources for these activities, including suppliers, outsource partners and other relevant interested parties.
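A worked business impact analysis over constructed data, added here as an illustration and not part of ISO 22301 or any organization's method: impact levels per activity are assessed over time (b), the time at which impact becomes unacceptable sets a resumption deadline (c), and each deadline is pushed onto the suppliers, systems and other activities the activity depends on (d), so a shared dependency inherits the earliest deadline of whatever relies on it. The impact scale, the threshold of 4, and every activity and resource name are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed impact scale: 1 = negligible ... 5 = severe. Levels at or above
# UNACCEPTABLE mark the point at which not resuming the activity is unacceptable.
UNACCEPTABLE = 4


@dataclass
class Activity:
    name: str
    # (hours since disruption, impact level), ascending by hours (8.2.2 b)
    impact_over_time: list
    # supporting resources or other activities it cannot run without (8.2.2 d)
    depends_on: list = field(default_factory=list)


def time_to_unacceptable(activity: Activity, threshold: int = UNACCEPTABLE) -> Optional[int]:
    """Hours after which the impact of not performing the activity is unacceptable."""
    for hours, impact in activity.impact_over_time:
        if impact >= threshold:
            return hours
    return None  # stays acceptable for the whole assessed window


def resumption_timeframes(activities, threshold: int = UNACCEPTABLE) -> dict:
    """Return name -> resumption deadline in hours (None = no deadline found).

    An activity must resume no later than its own time-to-unacceptable, and a
    dependency must be back no later than the earliest deadline of anything
    relying on it, so deadlines are pushed down the dependency graph to a fixpoint.
    """
    deadline = {a.name: time_to_unacceptable(a, threshold) for a in activities}
    for a in activities:
        for dep in a.depends_on:
            deadline.setdefault(dep, None)  # external resource with no curve of its own
    changed = True
    while changed:
        changed = False
        for a in activities:
            own = deadline[a.name]
            if own is None:
                continue
            for dep in a.depends_on:
                if deadline[dep] is None or deadline[dep] > own:
                    deadline[dep] = own
                    changed = True
    return deadline


def prioritized(deadline: dict) -> list:
    """Order names by deadline, earliest first; items with no deadline go last."""
    return sorted(deadline, key=lambda n: (deadline[n] is None, deadline[n] or 0, n))


# Constructed sample data (hypothetical activities, resources and impact curves).
SAMPLE = [
    Activity("order processing", [(4, 2), (24, 4), (72, 5)],
             depends_on=["ERP platform", "payments provider"]),
    Activity("payroll", [(24, 1), (168, 3), (336, 4)], depends_on=["ERP platform"]),
    Activity("ERP platform", [(8, 2), (48, 4)], depends_on=["data centre network"]),
    Activity("marketing newsletter", [(168, 2), (720, 3)]),
]

if __name__ == "__main__":
    result = resumption_timeframes(SAMPLE)
    for name in prioritized(result):
        when = f"resume within {result[name]} h" if result[name] is not None else "no deadline"
        print(f"{name:24s} {when}")
```

Note that the ERP platform's own curve would allow 48 h, but because order processing needs it within 24 h its deadline is pulled forward to 24 h, as is the network it runs on.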
8.2.3 Risk assessment
The organization shall establish, implement, and maintain a formal documented risk assessment process that systematically identifies, analyses, and evaluates the risk of disruptive incidents to the organization.
NOTE This process could be made in accordance with ISO 31000.
The organization shall
a) identify risks of disruption to the organization's prioritized activities and the processes, systems, information, people, assets, outsource partners and other resources that support them,
b) systematically analyse risk,
c) evaluate which disruption related risks require treatment, and
d) identify treatments commensurate with business continuity objectives and in accordance with the organization's risk appetite.
NOTE The organization must be aware that certain financial or governmental obligations require the communication of these risks at varying levels of detail. In addition, certain societal needs can also warrant sharing of this information at an appropriate level of detail.
8.3 Business continuity strategy
8.3.1 Determination and selection
Determination and selection of strategy shall be based on the outputs from the business impact analysis and risk assessment.
The organization shall determine an appropriate business continuity strategy for
a) protecting prioritized activities,
b) stabilizing, continuing, resuming and recovering prioritized activities and their dependencies and supporting resources, and
c) mitigating, responding to and managing impacts.
The determination of strategy shall include approving prioritized timeframes for the resumption of activities.
The organization shall conduct evaluations of the business continuity capabilities of suppliers.
8.3.2 Establishing resource requirements
The organization shall determine the resource requirements to implement the selected strategies. The types of resources considered shall include but not be limited to
a) people,
b) information and data,
c) buildings, work environment and associated utilities,
d) facilities, equipment and consumables,
e) information and communication technology (ICT) systems,
f) transportation,
g) finance, and
h) partners and suppliers.
8.3.3 Protection and mitigation
For identified risks requiring treatment, the organization shall consider proactive measures that
a) reduce the likelihood of disruption,
b) shorten the period of disruption, and
c) limit the impact of disruption on the organization's key products and services.
The organization shall choose and implement appropriate risk treatments in accordance with its risk appetite.
8.4 Establish and implement business continuity procedures
8.4.1 General
The organization shall establish, implement, and maintain business continuity procedures to manage a disruptive incident and continue its activities based on recovery objectives identified in the business impact analysis.
The organization shall document procedures (including necessary arrangements) to ensure continuity of activities and management of a disruptive incident.
The procedures shall
a) establish an appropriate internal and external communications protocol,
b) be specific regarding the immediate steps that are to be taken during a disruption,
c) be flexible to respond to unanticipated threats and changing internal and external conditions,
d) focus on the impact of events that could potentially disrupt operations,
e) be developed based on stated assumptions and an analysis of interdependencies, and
f) be effective in minimizing consequences through implementation of appropriate mitigation strategies.
8.4.2 Incident response structure
The organization shall establish, document, and implement procedures and a management structure to respond to a disruptive incident using personnel with the necessary responsibility, authority and competence to manage an incident.
The response structure shall
a) identify impact thresholds that justify initiation of formal response,
b) assess the nature and extent of a disruptive incident and its potential impact,
c) activate an appropriate business continuity response,
d) have processes, and procedures for the activation, operation, coordination, and communication of the response,
e) have resources available to support the processes and procedures to manage a disruptive incident in order to minimize impact, and
f) communicate with interested parties and authorities, as well as the media.
The organization shall decide, using life safety as the first priority and in consultation with relevant interested parties, whether to communicate externally about its significant risks and impacts and document its decision. If the decision is to communicate then the organization shall establish and implement procedures for this external communication, alerts and warnings including the media as appropriate.
8.4.3 Warning and communication
The organization shall establish, implement and maintain procedures for
a) detecting an incident,
b) regular monitoring of an incident,
c) internal communication within the organization and receiving, documenting and responding to communication from interested parties,
d) receiving, documenting and responding to any national or regional risk advisory system or equivalent,
e) assuring availability of the means of communication during a disruptive incident,
f) facilitating structured communication with emergency responders,
g) recording of vital information about the incident, actions taken and decisions made, and the following shall also be considered and implemented where applicable:
— alerting interested parties potentially impacted by an actual or impending disruptive incident;
— assuring the interoperability of multiple responding organizations and personnel;
— operation of a communications facility.
The communication and warning procedures shall be regularly exercised.
8.4.4 Business continuity plans
The organization shall establish documented procedures for responding to a disruptive incident and how it will continue or recover its activities within a predetermined timeframe. Such procedures shall address the requirements of those who will use them.
The business continuity plans shall collectively contain
a) defined roles and responsibilities for people and teams having authority during and following an incident,
b) a process for activating the response,
c) details to manage the immediate consequences of a disruptive incident giving due regard to
1) the welfare of individuals,
2) strategic, tactical and operational options for responding to the disruption, and
3) prevention of further loss or unavailability of prioritized activities;
d) details on how and under what circumstances the organization will communicate with employees and their relatives, key interested parties and emergency contacts,
e) how the organization will continue or recover its prioritized activities within predetermined timeframes,
f) details of the organization's media response following an incident, including
1) a communications strategy,
2) preferred interface with the media,
3) guideline or template for drafting a statement for the media, and
4) appropriate spokespeople;
g) a process for standing down once the incident is over.
Each plan shall define
— purpose and scope,
— objectives,
— activation criteria and procedures,
— implementation procedures,
— roles, responsibilities, and authorities,
— communication requirements and procedures,
— internal and external interdependencies and interactions,
— resource requirements, and
— information flow and documentation processes.
8.4.5 Recovery
The organization shall have documented procedures to restore and return business activities from the temporary measures adopted to support normal business requirements after an incident.
8.5 Exercising and testing
The organization shall exercise and test its business continuity procedures to ensure that they are consistent with its business continuity objectives.
The organization shall conduct exercises and tests that
a) are consistent with the scope and objectives of the BCMS,
b) are based on appropriate scenarios that are well planned with clearly defined aims and objectives,
c) taken together over time validate the whole of its business continuity arrangements, involving relevant interested parties,
d) minimize the risk of disruption of operations,
e) produce formalized post-exercise reports that contain outcomes, recommendations and actions to implement improvements,
f) are reviewed within the context of promoting continual improvement, and
g) are conducted at planned intervals and when there are significant changes within the organization or to the environment in which it operates.
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.1.1 General
The organization shall determine
a) what needs to be monitored and measured,
b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results,
c) when the monitoring and measuring shall be performed, and
d) when the results from monitoring and measurement shall be analysed and evaluated.
The organization shall retain appropriate documented information as evidence of the results.
The organization shall evaluate the BCMS performance and the effectiveness of the BCMS.
Additionally, the organization shall
— take action when necessary to address adverse trends or results before a nonconformity occurs, and
— retain relevant documented information as evidence of the results.
The procedures for monitoring performance shall provide for
— the setting of performance metrics appropriate to the needs of the organization,
— monitoring the extent to which the organization's business continuity policy, objectives and targets are met,
— performance of the processes, procedures and functions that protect its prioritized activities,
— monitoring compliance with this International Standard and the business continuity objectives,
— monitoring historical evidence of deficient BCMS' performance, and
— recording data and results of monitoring and measurement to facilitate subsequent corrective actions.
NOTE Deficient performance could include non-conformity, near misses, false alarms, and actual incidents.
9.1.2 Evaluation of business continuity procedures
a) The organization shall conduct evaluations of its business continuity procedures and capabilities in order to ensure their continuing suitability, adequacy and effectiveness;
b) These evaluations shall be undertaken through periodic reviews, exercising, testing, post-incident reporting and performance evaluations. Significant changes arising shall be reflected in the procedure(s) in a timely manner;
c) The organization shall periodically evaluate compliance with applicable legal and regulatory requirements, industry best practices, and conformance with its own business continuity policy and objectives; and
d) The organization shall conduct evaluations at planned intervals and when significant changes occur.
When a disruptive incident occurs and results in the activation of its business continuity procedures, the organization shall undertake a post-incident review and record the results.
9.2 Internal audit
The organization shall conduct internal audits at planned intervals to provide information on whether the business continuity management system
a) conforms to
1) the organization's own requirements for its BCMS,
2) the requirements of this International Standard, and
b) is effectively implemented and maintained.
The organization shall
— plan, establish, implement and maintain (an) audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits,
— define the audit criteria and scope for each audit,
— select auditors and conduct audits to ensure objectivity and the impartiality of the audit process,
— ensure that the results of the audits are reported to relevant management, and
— retain documented information as evidence of the implementation of the audit programme and the audit results.
The audit programme, including any schedule, shall be based on the results of risk assessments of the organization's activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results.
The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results.
9.3 Management review
Top management shall review the organization's BCMS, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness.
The management review shall include consideration of
a) the status of actions from previous management reviews,
b) changes in external and internal issues that are relevant to the business continuity management system,
c) information on the business continuity performance, including trends in
1) nonconformities and corrective actions,
2) monitoring and measurement evaluation results, and
3) audit results,
d) opportunities for continual improvement.
Management reviews shall consider the performance of the organization, including
— follow-up actions from previous management reviews,
— the need for changes to the BCMS, including the policy and objectives,
— opportunities for improvement,
— results of BCMS audits and reviews, including those of key suppliers and partners where appropriate,
— techniques, products or procedures, which could be used in the organization to improve the BCMS' performance and effectiveness,
— status of corrective actions,
— results of exercising and testing,
— risks or issues not adequately addressed in any previous risk assessment,
— any changes that could affect the BCMS, whether internal or external to the scope of the BCMS,
— adequacy of policy,
— recommendations for improvement,
— lessons learned and actions arising from disruptive incidents, and
— emerging good practice and guidance.
The outputs of the management review shall include decisions related to continual improvement opportunities and the possible need for changes to the BCMS, and include the following:
a) variations to the scope of the BCMS;
b) improvement of the effectiveness of the BCMS;
c) update of the risk assessment, business impact analysis, business continuity plans and related procedures;
d) modification of procedures and controls to respond to internal or external events that may impact on the BCMS, including changes to
1) business and operational requirements,
2) risk reduction and security requirements,
3) operational conditions and processes,
4) legal and regulatory requirements,
5) contractual obligations,
6) levels of risk and/or criteria for accepting risks,
7) resource needs,
8) funding and budget requirements; and
e) how the effectiveness of controls are measured.
The organization shall retain documented information as evidence of the results of management reviews.
The organization shall
— communicate the results of management review to relevant interested parties, and
— take appropriate action relating to those results.
10 Improvement
10.1 Nonconformity and corrective action
When nonconformity occurs, the organization shall
a) identify the nonconformity,
b) react to the nonconformity, and, as applicable,
1) take action to control and correct it, and
2) deal with the consequences.
c) evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by
1) reviewing the nonconformity,
2) determining the causes of the nonconformity, and
3) determining if similar nonconformities exist, or could potentially occur,
4) evaluating the need for corrective action to ensure that nonconformities do not recur or occur elsewhere,
5) determining and implementing corrective action needed,
6) reviewing the effectiveness of any corrective action taken and
7) making changes to the BCMS, if necessary.
d) implement any action needed,
e) review the effectiveness of any corrective action taken,
f) make changes to the business continuity management system, if necessary.
Corrective actions shall be appropriate to the effects of the nonconformities encountered.
The organization shall retain documented information as evidence of
— the nature of the nonconformities and any subsequent actions taken, and
— the results of any corrective action.
10.2 Continual improvement
The organization shall continually improve the suitability, adequacy or effectiveness of the BCMS.
NOTE The organization can use the processes of the BCMS such as leadership, planning and performance evaluation, to achieve improvement.
Bibliography
[1] ISO 9001, Quality management systems — Requirements
[2] ISO 14001, Environmental management systems — Requirements with guidance for use
[3] ISO 19011, Guidelines for auditing management systems
[4] ISO/IEC 20000-1, Information Technology — Service Management
[5] ISO 22300, Societal security — Terminology
[6] ISO/PAS 22399, Societal security — Guideline for incident preparedness and operational continuity management
[7] ISO/IEC 24762, Information technology — Security techniques — Guidelines for Information and communications technology disaster recovery services
[8] ISO/IEC 27001, Information Security Management Systems
[9] ISO/IEC 27031, Information technology — Security techniques — Guidelines for information and communication technology readiness for business continuity
[10] ISO 31000, Risk Management — Principles and Guidelines
[11] ISO/IEC 31010, Risk management — Risk assessment techniques
[12] ISO/IEC Guide 73, Risk management — Vocabulary
[13] BS 25999-1, Business continuity management — Code of practice, British Standards Institution (BSI)
[14] BS 25999-2, Business continuity management — Specification, British Standards Institution (BSI)
[15] SI 24001, Security and continuity management systems — Requirements and guidance for use, Standards Institution of Israel
[16] NFPA 1600, Standard on disaster/emergency management and business continuity programs, National Fire Protection Association (USA)
[17] Business Continuity Plan Drafting Guideline, Ministry of Economy, Trade and Industry (Japan), 2005
[18] Business Continuity Guideline, Central Disaster Management Council, Cabinet Office, Government of Japan, 2005
[19] ANSI/ASIS SPC.1, Organizational Resilience: Security, Preparedness, and Continuity Management Systems – Requirements with Guidance for Use
[20] SS 540:2008, Singapore Standard for Business Continuity Management
[21] ANSI/ASIS/BSI BCM.01, Business Continuity Management Systems: Requirements with Guidance for Use